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Abstract 

Partial functions are common abstractions in formal specification notations such as Z, 
B and Alloy. Conversely, executable programming languages usually provide little or no 
support for them. In this paper we propose to add partial functions as a primitive feature 
to a Constraint Logic Programming (CLP) language, namely {log}. Although partial 
functions could be programmed on top of {log}, providing them as first-class citizens adds 
valuable flexibility and generality to the form of set-theoretic formulas that the language 
can safely deal with. In particular, the paper shows how the {log} constraint solver is 
naturally extended in order to accommodate for the new primitive constraints dealing 
with partial functions. Efficiency of the new version is empirically assessed by running 
a number of non-trivial set-theoretical goals involving partial functions, obtained from 
specifications written in Z. 

KEYWORDS: CLP, {log}, set theory, partial functions 


1 Introduction 

Given any two sets, X and Y, a binary relation between X and Y is any subset of 
the power set oi X xY, P(X x Y). Partial functions are just a particular kind of 
binary relations, in which ordered pairs are restricted to verify the classical notion 
of function—i.e. that each element in the domain is mapped to at most one element 
in the range—, although they may be undefined for some elements in the domain— 
i.e. they are partial. Binary relations are in turn just sets of ordered pairs. Then, all 
relational operators (such as dom, ran, §, etc.) can be applied to partial functions 
and all set operators can be applied to both of them. Conversely, and this feature 
distinguishes partial functions from binary relations, if x is an element in the domain 
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of a partial function / then f(x) is defined as the element, y, in the range of / such 
that {x, y) e /. 

The motivation for adding partial functions to specification/programming lan¬ 
guages is primarily to enhance the language’s expressive power. In fact, partial 
functions constitute a powerful and convenient data abstraction. As an example, 
the relation between the key of a table and the rest of its columns is naturally 
modeled as a partial function. Partial functions are common in formal specifica¬ 
tion notations, such as Z ( [Spivey 1992D , B (lAbrial 1996P and Alloy ([Jackson 200311 . 
which are mainly used to specify state-based systems (notice that, many concepts 
or features of these systems are best represented as partial functions, not as total 
functions). Usefulness of partial functions in executable programming languages is 
attested by the common presence of library facilities, e.g. the map class of Java and 
C-I--I-, that support at some extent the partial function abstraction. Availability of 
maps, dictionaries or similar associative data structures as primitive components 
of some programming languages, such as SETL ([Schwartz et al. 1986P or Phyton, 
also attests usefulness of the partial function abstraction. 

Partial functions (or maps or, more generally, binary relations) can be added nat¬ 
urally also to CLP languages with sets, as observed for instance in ([Gervet 2006^ . 
In particular, in ([Cristia et al. 2013P we have shown how partial functions can be en¬ 
coded in the CLP language with sets {log} (pronounced ‘setlog’) ([Dovier et al. 2000| . 
Specifically, partial functions can be represented in {log} as sets of pairs, where each 
pair (x, y) is represented as a list of two elements [x, y\. Operations on partial func¬ 
tions can be implemented by user-defined predicates in such a way to enforce the 
characteristic properties of partial functions over the corresponding set representa¬ 
tions. 

When partial functions are completely specified this approach is satisfactory, at 
least from an ‘operational’ point of view. On the other hand, when some elements 
of a partial function or (part of) the partial function itself are left unspecified—i.e., 
they are represented by unbound variables—then this approach presents major 
flaws. For example, the predicate ran(F,{l}), which holds if {1} is the range 
of the partial function F, admits infinite distinct solutions F = {[Xl,l]}, F = 
{[Xl,l] , [X2,l]}, . . ., whenever F is unbound. If subsequently a failure is de¬ 
tected, such as with the goal ran(F, {!}) & dom(F, {}), then the computation loops 
forever and {log} is not able to detect the unsatisfiability. 

Making the implementation of predicates over partial functions more sophisti¬ 
cated as shown for instance in Cristia et al. (2013) may help in solving more ef¬ 
ficiently a larger number of cases, but does not provide a completely satisfactory 
solution in the general case. In fact, there are still cases, such as that considered 
above, in which there is no simple finite representation of the possibly infinite so¬ 
lutions and this may cause the interpreter to go into infinite computations. 

Most of the above mentioned problems could be solved by viewing partial func¬ 
tions as first-class entities of the language and the operations dealing with them as 
primitive constraints, for which the constraint language provides a suitable solver. 
Hence, the motivation for managing partial functions through constraint solving is 
primarily to enhance the language effectiveness, that is the ability to compute the 
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satisfiability/unsatisfiability of as many as possible (complex) set-based formulas 
involving partial functions. Selecting {log} as the host constraint language for this 
embedding gives one the possibility to exploit its flexible and general management 
of sets to represent partial functions and to provide many basic set-theoretical 
operations on partial functions as primitive set constraints for free. Other more 
specific operations on partial functions can be added to the language as primitive 
constraints and the solver can be extended accordingly. 

The main original results of this work are: (i) the identification of a small set of 
operations on partial functions, to be dealt with as primitive constraints, which are 
sufficient to represent all other common operations on partial functions as simple 
conjunctions of these constraints; (ii) the definition of a collection of rewrite rules 
to simplify conjunctions of primitive constraints; (iii) the definition of a labeling 
mechanism based on the notion of finite representable domains for partial functions; 
(iv) the definition of a collection of inference rules to detect possible inconsistencies 
without the need to perform time-consuming labeling operations. 

At our knowledge, only very few works have addressed the problem of adding par¬ 
tial functions as primitive entities in a C(L)P setting. For instance, the Conjunto 
language (|Gervet 1997^ provides relation variables at the language level. However, 
the domain and the range of the relations are limited to ground finite sets. Map 
variables where the domain and range of the mapping can be also hnite set variables 
are introduced in CP (Map) ([Deville et al. 200^ . All these proposals, however, do 
not consider the more general case of partially specified partial functions—where 
some elements of the domain or the range can be left unknown—which on the 
contrary are essential in our proposal. Moreover, the collection of primitive con¬ 
straints on map variables they provide is usually restricted to very few constraints, 
in particular to model the function application operation. 

The rest of this paper is organized as follows. In Section [51 we briefly recall the 
main features of the language {log}. The new extended language with partial func¬ 
tions is presented in Section [31 focusing on what is new with respect to {log}. In 
Section 3] we describe the constraint rewriting procedures for the new constraints 
and the global organization of the constraint solver. The labeling mechanism with 
the introduction of pf-domains is addressed in Section O Section [6] introduces a 
number of inference rules that allow the solver to decide satisfiability of irreducible 
constraints without having to resort to pf-domains, thus improving its overall effi¬ 
ciency. A practical assessment of the performance of the new solver is provided in 
Section |7l 


2 {log} 

{log} is a Constraint Logic Programming (CLP) language, whose constraint do¬ 
main is that of hereditarily finite sets —i.e., finitely nested sets that are finite at 
each level of nesting, {log} allows sets to be nested and partially specified —e.g., 
set elements can contain unbound variables, and it is possible to operate with sets 
that have been only partially specified, {log} provides a collection of primitive con- 






4 


M. Cristid, G. Rossi and C. Frydman 


straint predicates, sufficient to represent all the most commonly used set-theoretic 
operations—e.g., union, intersection, difference. 

The {log} language was first presented by Dovier et al. (19961. A complete con¬ 
straint solver for the pure CLP fragment included in {log} —called CLP(<SfT)—is 
described by Dovier et al. (2000), while its extension to incorporate intervals and 
Finite Domain constraints is briefly presented by Dal Palu et al. (2003). Hereafter, 
with the name CLP(<S£’7”) we will refer to this last version of our constraint lan¬ 
guage, while {log} will refer to the whole language including CLP(<SfT), along 
with a number of other syntactic extensions and extra-logical Prolog-like facilities. 
A working implementation of {log} (actually, an interpreter written in Prolog) is 
available on the web (jPossi 20081) . 

Sets are denoted by set terms. For example, {1,1,2}, {2,1}, and {1,2} are set 
terms, all denoting the same set of two elements, 1 and 2; {A, Dlls'} is a set term 
denoting a partially specified set containing one or two elements, depending on 
whether X is equal to Y or not, and a, possibly empty, unknown part S. 

A primitive SET-constraint is defined as any literal based on the set of predicate 
symbols He = {=, in , un, disj, <, size, set, integer}. Symbols in He have their natural 
set-theoretic interpretation. In particular, the predicate un represents the union 
relation (un(r, s, t) holds if and only if t = r U s), while the predicate disj represents 
the disjoint relation between two sets (disj(s,t) holds if and only if s fit = 0). Most 
other useful set-theoretical predicates, e.g., subset and inters, can be defined as SET- 
constraints, using disj and un —e.g., subset(M, u) unjn, u, r;) (|Dovier et al. 20001) . 
As an example, the following formula, inters(i?. S', T) A size(T, TV) A N =< 2, is 
an admissible SST-constraint whose (informal) interpretation is: the cardinality of 
i? n S must be not greater than 2. 

CLP {SET) is endowed with a complete constraint solver, called SATsst^ for 
verifying the satisfiability of SST-constraints. Given a constraint C, SATseriC) 
transforms C either to false (if C is unsatisfiable) or to a finite collection (Ci, ..., 
Ck} of constraints in solved form. A constraint in solved form is guaranteed to be 
satisfiable w.r.t. the underlying interpretation structure. Moreover, the disjunction 
of all the constraints in solved form generated by SATsst{C) is equisatisfiable to 
C in the structure. A detailed description of the constraint solver SATsst can be 
found in Dovier et al. (2000). 


Example 1 

Let C be (1, 2 | X} = {11 D} A 2 nin X. Then SATsst{C) returns, one by one, 
the following three answers, each of which is a constraint in solved form: Y = 
(2 I A} A 2 nin A A set(A); A = (11 A} A D = (2 | A} A set(A) A 2 nin A; and 
Y = (1, 2 I A} A 2 nin A A set(A) (where A is a new variable). 


3 The extended language CLP (PA) 

The constraint domain SET is extended so as to incorporate partial functions. 
The new constraint domain and the related language are called VT and CLP (PA), 
respectively. Since PA includes SET as a special case we will simply highlight what 
is new in PA with respect to SET. 
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As concerns syntax, our choice is to not introduce any special symbol to represent 
partial functions, since they can be easily represented as sets. Partial functions are 
just a particular kind of sets. Forcing a set to represent a partial function will be 
obtained at run-time by using suitable constraints on its elements. 

Definition 1 

We say that a set term r represents a partial function if r has one of the forms: 

{} or {[xi,ti], [X2,t2], ■ • ■ , [Xn,tn]} Or {[Xi,ti], [X2,t2], ■ • ■ , [Xn,tn] \ s}, and Xj, U, 
i = 1 ,... ,n, are terms, s is a set term representing a partial function, and the 
constraints Xj 7 ^ Xj, Xi ^ doms, hold for all i, j = 1 ,..., n, i 7 ^ j. 

A critical issue in the definition of VJ- is the choice of which operations over 
partial functions should be primitive —i.e., part of lie—and which, on the con¬ 
trary, should be programmed using the language itself. Minimizing the number of 
predicate symbols in He has the advantage of reducing the number of different 
kinds of constraints to be dealt with and, hopefully, simplifying the language and 
its implementation. On the other hand, having to implement such operations on top 
of the language may lead to efficiency and effectiveness problems, similar to those 
encountered with the implementation of partial functions using {log} discussed in 
Section [H 

Our choice is to extend the set He of constraint predicate symbols with the 
following four predicate symbols: 

dom, ran, comp, pfun 

The intuitive interpretation of these predicate symbols is: dom(r, a) (resp. ran(r, a)) 
holds iff a is the domain (resp., range) of the partial function r; comp(r, s, t) holds 
iff the partial function t is the composition of the partial functions r and s, i.e. 
t = {[x,z\ : 32/([x, j/] S r a [y, z] G s)}; pfun(r) holds iff r is a partial function. 

Atomic predicates based on these symbols are the only primitive constraints that 
CLP(7^J^) offers to deal with partial functions (let us simply call these constraints 
VJ--constraints). A (general) {S£T,W)-constraint is just a conjunction of primi¬ 
tive constraints built using the enlarged He, i.e. {=, in , un, disj, <, size, set, integerjU 
{dom, ran, comp, pfun}. 

The following theorem ensures that the primitive constraints are sufficient to de¬ 
fine most of the common operations on partial functions as {SSV, PJ^)-constraints. 
Complete proofs of this and the remaining theorems are available on-line at http: //people 
Many of these theorems were formally proved using the Z/EVES proof assistant 
(jSaaltink 1997^ . 

Theorem 1 

Literals based on predicate symbols: dres (domain restriction), rres (range restric¬ 
tion), ndres (domain anti-restriction), nrres (range anti-restriction), rimg (relational 
image), opius (overriding) and id (identity) can be replaced by equivalent conjunc¬ 
tions of literals based on =, un, disj, dom, ran and comp. 
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Proof (sketch) 

The following equivalences hold: 


ndres(a, r, s) 


dres(a, r, b) A diff(r, b, s) 

nrres(6, r, s) 


rres{b, r, a) A diff(r, a, s) 

dres(a, r, s) 


dom(r, dr) A dom(s, ds) A inters(a, dr, ds) A subset(s, r) 

rres(6, r, s) 


un(s,t,r) A ran(s,rs) A ran(r, rr) 

A inters(6, rr, rs) A ran(t, rt) A disj(rs, rt) 

rimg(6, r,s) 


dres(&, r, rb) A ran(r6, s) 

oplus(r, s, t) 


un(rs, s, t) A ndres(ds, r, rs) A dom(s, ds) 

id(a, r) 


dom(r, a) A ran(r, a) A comp(r, r, r) □ 


Other common operations on partial functions can be defined in the same way. 
For example, the application of a partial function r to an element x can be easily 
defined in terms of primitive constraints as follows: apply(r, x, y) is true if and only 
if [x, y] m r holds. 

The ability to express operations on partial functions as {SET, T’J^)-constraints 
as stated in Theorem [T] allows us to not consider these operations in the definition 
of the constraint solver for CLP(7^J^) and to focus our attention only on the four 
primitive constraints based on pfun, dom, ran and comp. 

It is worth noting that the proposed subset of primitive predicate symbols is not 
the only possible choice. Roughly speaking, it is motivated by observing that: since 
a function is a tuple of the form {dom, law, ran), then choosing dom and ran seems 
a rather natural choice; the law can be given as membership predicates (i.e. apply) 
which is already part of the primitive constraints; pfun is easy to justify since it 
is necessary to state which sets are partial functions; finally, comp is justified by 
observing that it is hardly definable in terms of the other primitive constraints. 
However, proving that this subset of primitive constraints is the minimal one, as 
well as comparing our choice with other possible choices, in terms of, e.g., expressive 
power, completeness, effectiveness, and efficiency, is out of the scope of the present 
work. 


4 Constraint Rewriting Procedures 

For each primitive constraint symbol tt S He, we develop a constraint rewriting 
procedure specifically devoted to process that type of constraint. Basically, each 
procedure repeatedly applies to the input constraint C a collection of rewrite rules 
for TT until either C becomes false or no rule for tt applies to C. At any moment, C 
represents the constraint store managed by the solver. 

The rewrite rules have the following general form 

pre-conditions 

{Ci,...,c4^{q,...,cu 

where Ci and C[ are primitive {SET, PJ^)-constraints and pre-conditions are (pos¬ 
sibly empty) boolean conditions on the terms occurring in Ci,..., Cn. In order to 
apply the rule, all pre-conditions need to be satisfied. {Ci,..., Cn} —>■ {C},..., C'nf} 
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_r £ V_ 

{dom(r, r)} —>■ {r = 0} 

empty(a) 

{dom(r, a)} —>• {r = 0} 
empty(r) 

{dom(r,a)} —^ {a = 0} 

r = {[x,y\\rr'\ -iempty(a) 

{dom(r, a)} —>■ {a = {a;|rs}, [x, y] nin rr, dom(rr, rs)} 

r £ V a = {a;|rs} 

{dom(r, a)} —>■ {r = {[x,y]\rr},x nin rs, dom(rr, rs)} 
Fig. 1. Rewrite rules for dom. 


empty(q) -iempty(r) -iempty(s) 

{comp(r, s, g)} —>■ {ran(r, rr), dom(s, ds), disj(rr, ds)} 

q = {[x,z\\rq} -iempty(r) -iempty(s) 
{comp(r,s,g)} {r = {[x,y\\rr}, 
s = {\y, z\\rs},[x, z\ nin rq,\y,z\ nin rs, comp(rr, s, rg)} 

g£V r = {[x,y\\rr'\ -iempty(s) s^V 
{comp(r,s,g)} -)■ {s = {[y,z]\rs}, 
q = {[x, z\\rq\,[x,y\ nin rr,[y,z\ nin rs, comp(rr, s, rg)} 
or 

{comp(r, s, g)} —>■ {dom(s, ds), j/ nin ds,[x,y] nin rr, 
comp(rr, s, g)} 


Fig. 2. Rewrite rules for comp. 


(n, m > 0) represents the changes in the constraint store caused by the rule appli¬ 
cation. 

Some rewrite rules for dealing with single T^J^-constraints are shown in Figures 
[T] and [21 all of them can be found in the online appendix (Appendix A). Rewrite 
rules for all other primitive constraints can be found elsewhere (IDovier et al. 2000l 
IDal Palii et al. 2003p . 

The global organization of the solver for the new language—called SAT-pjr —is 
shown in Algorithm[TJ It makes use of two procedures: infer and STEP, infer is used 
to automatically add the constraints set, integer, and pfun to the constraint C to 
force arguments of primitive constraints to be of the proper type. For example, 
if C contains the constraint dom(r,a) then infer(C') will add to C the constraint 
pfun(r) Aset(a). The procedure STEP is the core part of SAT-pjr: it applies special¬ 
ized constraint rewriting procedures to the current constraint C and returns the 
modified constraint. The execution of STEP is iterated until a fixpoint is reached— 
i.e., the constraint cannot be simplified any further. Notice that STEP returns 
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false whenever (at least) one of the procedures in it rewrites C to false. Moreover, 
STEP(false) returns false. 


Algorithm 1 The CLP(7^J^) Constraint Solver 
procedure SAT-pt(C) 

C ^ infer(C') 
repeat 

C ^C- 

STEP(C'); 
until C = C"; 
return C 
end procedure 


When no rewrite rule applies to the considered PJ^-constraint then the cor¬ 
responding rewriting procedure terminates immediately and the constraint store 
remains unchanged. Since no other rewriting procedure deals with the same kind 
of constraints, the irreducible constraints will be returned as part of the constraint 
computed by SAT-pj^. Precisely, if X and Xi are variables and f is a term (either a 
variable or not), the following T^J^-constraints are dealt with as irreducible: 

1 . dom(Ai,A 2 ), where Xi and X 2 are distinct variables; 

2. ran(A, f), where t is distinct from X and t is not the empty set; 

3. comp(Ai,f, A 3 ) or comp(t, A 2 , A 3 ), where t is not the empty set; 

4. pfun(A) and there are no constraints of the form integer(A) in C. 


Roughly speaking, the irreducible constraints are these because we are not able to 
rewrite them to finite conjunctions of primitive (SS'T, 7^A)-constraints. In partic¬ 
ular, solving the constraint ran(A, f), where f is a set term not denoting the empty 
set, would amount to solve the formula '\/x{x € X 3y, z(x =[y,z\f\z€t)) which 
is not expressible as a finite conjunction of primitive {SET , 7^J^)-constraints. Notice 
that, conversely, the case dom(A, <), where f is a set term (e.g. dom(A, {!})), can be 
easily rewritten to a finite conjunction of primitive constraints since the cardinality 
of A is necessarily that of t; hence this constraint is not dealt with as irreducible. 

For all other primitive {SET, 7^A)-constraints, SATpjr uses the rewriting rules of 
CLP(5fT) and the irreducible form constraints it returns are all iSfT-constraints 
in solved form (cf. Sect. [2] and Dovier et al. (20001). Observe that, a constraint 
composed of only solved form literals is proved to be always satisfiable. 


Example 2 
Constraint rewriting. 

• dom({[a, 1], [ 6 , 2], [c, 1]}, D) is rewritten to D = {a, b, c} 

• dom({[a, 1]}, {&}) is rewritten to false 

• comp({[l, &]}, B, {[1, a]}) is rewritten to B = {[ 6 , a]|i3i?} A [ 6 ,a] nin BRA 
pfun{BR) A dom(i?i?, D) A b nin DA set{D) 

• inters({A}, {!}, £>) A dom{R,D) A ran(i?, 0) is rewritten to H = 0 A i? = 
0 A A neq 1 
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• apply(_F, X,y) Adom(F, D) AX Cm D is rewritten to false. 


Note that with the implementation of dom and ran as user-defined {log} predi¬ 
cates (see Cristia et al. (20131) the last goal would loop forever. 

The SAT-pjr procedure is proved to be always terminating. 


Theorem 2 {Termination) 

The SAT-pjr procedure terminates for every input constraint C. 


The termination of SAT-pj^ and the finiteness of the number of non-deterministic 
choices generated during its computation guarantee the finiteness of the number of 
constraints non-deterministically returned by SATpjr. Therefore, SATpjr applied 
to a constraint C always terminates, returning either false or a (finite) disjunction 
of {SET: 7^-F)-constraints in a simplified form. The following theorem proves that 
the collection of constraints in irreducible form generated by SATpp preserves the 
set of solutions of the input constraint, hence, it is correct. 


Theorem 3 {Eguisatisfiability) 

Let C be a constraint, Ci, ..., be the constraints obtained from SATpp{C), a be 
a valuation of C and CiV.. .VC^, expanded to the new variables possibly introduced 
into Cl,... ,Cn by the rewrite procedures, and App be the interpretation structure 
associated with the constraint domain VT. Then, App ^ o’(C') if only if 
App 1= (7{Ci V ... V C„). 


If at least one of the constraints Ci returned by SATpp{C) contains only prim¬ 
itive 5i£T-constraints then, according to Dovier et al. (20001, Ci is in solved form 
and it is surely satisfiable. Therefore, in this case, thanks to Theorems [2] and [3l we 
can conclude that the original constraint C is surely satisfiable. 

Unfortunately, this is not always the case, as discussed in the next section. 


5 pf-domains 

Differently from CLP {SET), the simplified constraint returned by SATpp is not 
guaranteed to be satisfiable. 

Example 3 

The following {SET, PJ^)-constraint 

dom(ii, D) A R neq 0 A un(Zl, Y, Z) A disJ(Zl, Z) 

is an irreducible constraint but it is clearly unsatisfiable (the only possible solution 
for un(Zl, Y, Z) A disJ(Zl, Z) is D = 0, but D = 0 if and only if i? = 0). 

Thus, differently from CLP {SET), the ability to produce a collection of con¬ 
straints in an irreducible form from the input constraint C cannot be used to 
decide the satisfiability of C. As many concrete solvers, e.g. the CLP {TV) solvers, 
SATpp is an incomplete solver. Thus, if it returns false the input constraint is 
surely unsatisfiable, whereas if it returns a constraint in irreducible form then we 
cannot conclude that the input constraint is surely satisfiable. 
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In order to obtain a complete solver, we provide a way to associate a finitely 
representable domain to each partial function variable and to force these variables 
to get values from their associated domains, i.e. to perform labeling on them. This is 
obtained by defining a new primitive constraint pfun, of arity 2, with the following 
interpretation; pfun(r, n) holds if and only if r S X -it> T A n G N A |r| < n. 

The solutions of pfun(r, n) are all the partial functions r with cardinality less 
than or equal to n. The ability to represent domains and ranges of partial functions 
as partially specified sets, i.e. sets containing unbound variables as their elements, 
allows us to provide a finite representation for the (possibly infinite) set of all 
solutions of pfun(r, n). For example, the set of solutions for pfun(r, 2), where r is 
a variable, can be represented by the following equisatisfiable disjunction of three 
primitive constraints: r = 0 V r = {[X, F]} V r = {[Xi, Fi], [X 2 , F 2 ]} A Xi neq X 2 . 

We will call the set of partial functions represented by these constraints the pf- 
domain of the pf-variable r. pf-domains represent in general infinite sets but they 
are finitely representable in our language. 

^From an operational point of view, solving pfun(r, n), with n a constant natural 
number, non-deterministically computes, one after the other, all the n + 1 possible 
assignments for r. Therefore, solving pfun(r, n) allows us to perform a sort of la¬ 
beling over the pf-variable r. Note that, differently from pfun(r), pfun(r,n) has no 
irreducible form. If r is an unbound variable (n is required to be a constant num¬ 
ber), then solving pfun(r, n) always generates an equality for r, along with possible 
inequality constraints over the elements in the domain of r. 

The labeling process involved in pfun/2 constraints do not compromise termi¬ 
nation of the procedure SAT-pjr since the set of possible values to be assigned to 
partial function variables through labeling is anyway finite. Moreover, assuming 
our domain of discourse is limited to finite partial functions, it is straightforward 
to see that the rewriting rules for pfun/2 preserve the set of solutions of the input 
constraint. Thus we can immediately extend to pfun/2 constraints the results of 
Theorems [2] and [S] 

Solving pfun/2 constraints allows pf-variables to always get a value, although it 
can be a non-ground value. This is enough, however, to guarantee that all VT- 
constraints are completely eliminated at the end of the computation. 

Lemma 1 

Let C be an input constraint and Vi,... ,Vn all the pf-variables occurring in C. If 
C contains pfun(Fi, fci) A • • • Apfun(Idi, kn), fci,..., G N, then SAT'pj^{C) returns 
either false or a disjunction of iSfT-constraints in solved form. 

Remembering that iSfT-constraints in solved form are always satisfiable. Lemma 
[1] guarantees that, if the input constraint C contains pfun/2 constraints for all the 
pf-variables occurring in it and SAT'pjr{C) does not terminate with false, then the 
disjunction of constraints returned by SAT-pjr^C) is surely satisfiable. Since SAT-pjr 
is proved to preserve the set of solutions of C (cf. Theorem [3]), then we can conclude 
that in this case C is satisfiable. 

Hence, by properly exploiting pfun/2 constraints, we get a complete solver. This 
means that, once fci,..., are fixed, our solver can detect all cases in which the 
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input constraint is unsatisfiable, as well as all cases in which the input constraint 
is satisfiable and, in these cases, it can generate all viable solutions. 

Example 4 

The following constraints are rewritten to either false or to a solved form constraint, 
whereas they are left unchanged if no pf-domain is specified. 

• dom(i?, H) A D neq 0 A un{D,Y, Z) A disj(Zl, Z) A pfun(i?, 5) is rewritten to 
false 

• ran(X, {l})Aun(X, Y, Z)Apfun(X, 5) is rewritten to the solved form constraint 
(first solution): X = {[Al, 1]} A Z = {[A, I]]!"} A set(y). 


6 Improving constraint solving 

^From a more practical point of view, having to perform labeling for pf-variables 
may cause unacceptable execution time in some cases. For example, the constraint 

dom(i?, Dl) A dom(i?, D2) A D1 neq D2 A pfun(i?, k) 

is proved to be unsatisfiable, but only for relatively small values of k. 

To alleviate this problem, we introduce a number of new rewrite rules—hereafter 
simply called inference rules —that allow new constraints to be inferred from the ir¬ 
reducible constraints. The presence of these additional constraints allows the solver 
to deduce possible unsatisfiability of the given constraint without having to resort 
to any labeling process, thus improving the overall efficiency of constraint solving 
in many cases. 

The inference rules are applied by calling function infer_rules just after the iter¬ 
ation of STEP ends finding a fixpoint (see Algorithm [T|) . infer_rules(C') applies all 
possible inference rules to all possible primitive constraints in C. After the rules 
have been applied, possibly modifying C, the STEP loop is repeated from the begin¬ 
ning. Only when both STEP and infer_rules do not modify C, then the new global 
constraint solving procedure—called SATfjjr —ends. 

Some of the inference rules used by SAT!pjr are shown in Figure [31 all of them 
can be found in the online appendix (Appendix A). Each inference rule captures 
some property of the primitive operators for partial functions, possibly relating 
these operators with other general operators, such as inequality (constraint neq) 
and set cardinality (constraint size). All rules take into account one or two primitive 
constraints at a time and add new primitive constraints to the constraint store. 

Example 5 

The following constraints are all proved to be unsatisfiable using SATtpjr (see the 
applied rules in Figure [3]): 


dom(A, Dl) A dom(A, Z)2) A neq D2 (rule ([T])) 

ran(A,DA) ADA neq 0 A disJ(A, Z) A un(A, A, Z) (rule Q) 

dom(A, DA) A size(A, A) A size(DA, M) A A neq M (rule ([3])) 

comp({[a, 1]}, Y, Z) A dom(Z, DZ) A a nin DZ A Z neq 0 (rule (jl])) 


un(A, A, Z) A dom(A, D) A dom(A, D) A dom(Z, DZ) A D neq DZ (rule ([3])) 
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{dom(r, a), dom(r, b)} —> {dom(r, a), a = 6} 

^ V 

{ran(r, a),r neq 0} —> {ran(r, a),r neq 0, a neq 0} 


{dom(r, a)} —>■ {dom(r, a), size(r, n), size(a, n)} 


{comp(r, s, ?)} -i> {comp(r, s, q), 

dom(g, a), dom(r, 6), subset(a, b)} 


{un(r, s, q), pfun(g)} -i> {un(r, s, q), pfun(q), 

dom(r, dr), dom(s, ds), dom(g, dq), 
un(dr, ds, dq)} 


( 1 ) 

( 2 ) 

(3) 

(4) 

(5) 


Fig. 3. Some inference rules. 


The same constraints of Example [5] but using SAT-pj^, that is without applying 
any inference rule, are simply treated as irreducible. On the other hand, adding 
constraints pfun/2 to perform labeling on pf-variables would allow SATpjr to detect 
the unsatisfiability for all these constraints, but only when the specified partial 
function cardinalities are relatively small the response times would be practically 
acceptable. 

Termination of the improved constraint solver is stated by the following theorem. 
Theorem 4 (Termination of SATlpjA) 

The SATftjr procedure can be implemented in such a way that it terminates for 
every input constraint C. 

Soundness of the extended solver SAT^pjr comes from soundness of SATpp and 
from the following theorem, which ensures that the added constraints do not modify 
the set of solutions of the original constraint. 

Theorem 5 {Equisatisfiability of inference rules) 

Let S' be a constraint and S' be the constraint obtained from the inference rules. 
Then S' is equisatisfiable to S with respect to the interpretation structure App. 

SAT!pjr is still not a complete solver unless pfun/2 is used for all pf-variables. As 
a counterexample, consider the following constraint 

ran(A, {!}) A ran(F, {1, 2}) A dom(A, D) A dom(y, D) A disj(A, Y). 

This constraint is unsatisfiable with respect to App^ but SATf,jr is not able to 
prove this fact (it simply leaves the constraint unchanged). 

New inference rules could be added to the solver to detect further properties 
of the partial function domain, thus avoiding as much as possible the need for 
pfun/2 constraints. However, finding a collection of inference rules that guarantees 
to obtain a complete solver, regardless of the presence of pfun/2 constraints, seems 
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to be a difficult task. Moreover, checking the constraint store to detect applicable 
inference rules may be quite costly in general. Thus, the solution we adopted is 
based on finding a tradeoff between efficiency and completeness, as usual in many 
concrete constraint solvers. Only those properties that require relatively small effort 
to be checked are taken into account by the solver. For all cases not covered by the 
inference rules, however, solver’s completeness is obtained by exploiting pf-domains 
and pfun/2 constraints. Further empirical assessment of the solver may lead to 
review the current choices and provide additional inference rules in future releases. 


7 Empirical Assessment 

In this section we present how the new version of {log} (i.e. 4.8.2-2) improves its 
efficiency and effectiveness when solving formulas including partial functions and 
their operators. To do so we have generated more than 2,000 goals, some of which 
include partial functions and the related operators. These goals have been used to 
evaluate {log} 4.8.0 as a test case generator for Fastest, a model-based testing tool 
(jCristia et al. 2013| . Besides, these goals have been generated by Fastest from 10 
different Z specifications, some of which are formalizations of real requirements and, 
in general, they cover a wide range of applications—totalizing around 3,000 lines of 
Z code. These goals not only include partial functions, but also sets (in particular 
intentional sets), integer and relational constraints. Thus, we consider that they are 
a representative sample. 

In this assessment, we want to know: (f) how many satisfiable and unsatisfiable 
goals are found by {log}; {ii) how long it takes to process all the goals; (Hi) how 
{log} performs in each task compared with version 4.8.0 (which do not include 
partial functions as primitive constraints). 

Experiments were run on a 4 core Intel Core"'"'^ i5-24I0M CPU at 2.30GHz with 
4 Gb of main memory, running Linux Ubuntu 12.04 (Precise Pangolin) 32-bit with 
kernel 3.2.0-80-generic-pae. {log} 4.8.0 and 4.8.2-2 over SWI-Prolog 6.6.6 for 1386 
were used during the experiments. A 10 seconds timeout was set as the maximum 
time that {log} can spend to give an answer for a goal. 

Table [T] displays the results of the experiments. The meaning of the columns 
is as follows: Z Spec, Z specification; Goals, number of goals processed during 
the experiment; S, number of satisfiable goals detected as satisfiable; U, number 
of goals detected as unsatisfiable; A, percentage of goals for which {log} gives a 
meaningful answer (i.e. A = 100(S -I- U)/Goals); T, time spent by {log} during 
the entire execution. 

As can be seen, {log} 4.8.2-2 outperforms 4.8.0 in almost all sets of goals. In 
effect, in all sets but two (SWPDC and Sec. class) 4.8.2-2 gives more right answers 
and in less time than 4.8.0. Note that 4.8.2-2 hits 100% of right answers in 5 sets of 
goals while 4.8.0 does it only in 2. Also note the impressive time reduction in, for 
example. Launcher. Given that giving more right answers in less time is the best 
behavior, we can define QI, for quality index, as QI = [100 * A/TJ. Then, the 
higher the QI the better, {log} 4.8.2-2 has higher or equal QI than 4.8.0 in all but 
one set of goals. 
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Table 1. Summary of empirical assessment 


Z Spec 

Goals 


4.8.0 



4.8.2-2 


S 

U 

A 

T 

S 

U 

A 

T 

SWPDC 

196 

97 

26 

63% 

1,238 

99 

26 

64% 

1,402 

Plavis 

232 

151 

36 

81% 

510 

151 

33 

79% 

510 

Scheduler 

205 

27 

85 

55% 

945 

38 

161 

97% 

125 

Sec. class 

36 

20 

16 

100% 

11 

20 

14 

94% 

31 

Bank (1) 

100 

23 

39 

62% 

388 

25 

75 

100% 

28 

Bank (3) 

104 

50 

35 

82% 

211 

52 

49 

97% 

64 

Lift 

17 

17 

0 

100% 

6 

17 

0 

100% 

6 

Launcher 

1,206 

0 

1,093 

91% 

1,334 

23 

1,183 

100% 

370 

Symb. table 

27 

11 

10 

78% 

68 

11 

16 

100% 

9 

Sensors 

16 

7 

3 

63% 

54 

8 

8 

100% 

5 

Totals 

2,139 

403 

1,343 

- 

4,769 

444 

1,565 

- 

2,552 


In summary, the experimental results show that adding constraints for partial 
functions as {logYs primitive constraints greatly improves its efficiency and effec¬ 
tiveness as a constraint solver for a very general theory of sets. 


8 Conclusions 

In this paper we have shown how to integrate partial functions as first-class citizens 
into the CLP language with sets {log}. Since partial functions can be viewed as sets, 
they are embedded quite smoothly into {log}, and all facilities for set manipulation 
offered by {log} are immediately available to manipulate partial functions as well. 
We have added to the language a very limited number of new primitive constraints, 
specifically devoted to deal with partial functions and we have provided sound and 
terminating rewriting procedures for them. The resulting constraint solver either 
terminates with false or with a disjunction of simplihed constraints which the solver 
cannot further simplify (i.e., irreducible constraints). We have identihed conditions 
under which the ability to generate such a disjunction guarantees the satishability 
of the input constraint. Moreover, we have defined a number of inference rules that 
allow the solver to detect, in many cases, unsatisfiability even in the more general 
situations (e.g. without requiring to specify an upper bound for the cardinality of 
partial functions). 

For the future, there are two main correlated lines of work: (f) identifying more 
precisely the class of irreducible constraints which are guaranteed to be satisfiable; 
so far this class is restricted to irreducible constraints not containing pf-constraints, 
but it is likely to be enlarged to include pf-constraints as well, at least of some spe¬ 
cific form (e.g., those which contain only unbound variables, thus excluding for 
instance the irreducible constraints of the form ran(X, {... })) (ii) defining new in¬ 
ference rules that allow further “hidden” properties of irreducible constraints to be 
made explicit, in order to make constraint solving more and more “precise”; that 









Adding Partial Functions to CLP with Sets 


15 


is, on the one hand, to allow the solver to detect more and more unsatisfiable con¬ 
straints and, on the other hand, to allow the class of irreducible constraints whose 
satisfiability can be decided without the need to perform any labeling operation to 
be enlarged as much as possible. 
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